Thus spake Georg Koppen (g.koppen@jondos.de):
> Today I read this blog post:
> http://www.guerilla-ciso.com/archives/2049
> It is talking about the rise of slow DOS attacks and that Tor could play an important role in it (in fact the post links to an already existing tool for this attack, properly configured to be used with Tor). As one of the defenses (granted, the last one on his list) the author mentions:
> "Block TOR exit nodes before the traffic reaches your webservers (IE, at layer 3/4)."
Heh, guy describes an attack that can bring down a webserver from a coffeeshop and his solution is to block Tor. I love people like this. If he was just listing it for completeness, he should also have recommended a national open wireless and open proxy registry, so everyone can block that too. You know, to stop attacks. At least it was last on the list...
This attack definitely sounds like it should be mitigated by Apache config options, and possibly also some form of load-based connection pruning support in Apache itself for use when the server comes close to the MaxClients limit.
> Well, as this is not good for the Tor network and makes it unnecessarily easy for censors to argue for blocking Tor ("we just want to defend ourselves against slow DOS attacks"), I am wondering whether there is already some effort under way to detect and ban such traffic. Or should there be such an effort at all?
There have been proposals to run IDSs at exit nodes before. In theory, they can be supported by the Tor protocol without damaging traffic: https://lists.torproject.org/pipermail/tor-relays/2011-March/000675.html
So far no one seems interested in doing exit IDS the right way though. We probably have a few exit operators running IDSs already, but they are doing so at risk of being BadExited if they are discovered to be interfering with *any* amount of normal traffic.
In general though, the belief is that this is not really our job. If an attack is possible through Tor, blocking Tor or making Tor illegal is akin to burying your head in the ground. Sure, you might stop the script kiddie who ran their attack script with 'torsocks' today, but some other attacker will knock your site over from a coffee shop or open proxy tomorrow.
This core philosophy is the basis behind the abuse template set for exit operators: https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates
This philosophy obviously puts us at odds with all the DNSRBL/honeypot folks out there that believe that vigilante justice should be meted out by threatening and spamming ISP abuse departments into pulling the plug on "noisy" IP addresses, but we believe they are just wasting their lives playing whack-a-mole. I guess if it makes them feel better, that's great for them. Everybody deserves their Prozac. But they're not really solving any real problems.
Fix the software. Don't fight brain damage with network damage.
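As an added illustration of the "mitigate it in Apache config" point made in the reply above (this is an editor's example, not configuration from the thread, the blog post, or the Tor project): the stock httpd 2.2 settings that make slow-header/slow-body attacks cheap, beside a hardened set using mod_reqtimeout (shipped with httpd 2.2.15 and later) and, optionally, the third-party mod_qos for the load-based connection pruning the reply wishes Apache did natively. All timeout, rate and module-path values are illustrative assumptions to be tuned per site, not measured figures.

```apache
# Editor's example, not from the original thread. Values are illustrative.

# --- Weak (stock-like) configuration ---
# With Timeout 300 a client can hold one worker for five minutes by sending a
# single header byte every few minutes; with MaxClients 256, a laptop on a
# coffee-shop Wi-Fi needs only a few hundred sockets to exhaust the whole pool.
Timeout 300
KeepAliveTimeout 15
MaxClients 256

# --- Hardened configuration (replaces the block above) ---
# Reclaim idle workers quickly; keepalive no longer subsidises slow clients.
Timeout 30
KeepAliveTimeout 5
MaxClients 256

# mod_reqtimeout: request headers must arrive within 20 s, extended by 1 s per
# 500 bytes received up to a 40 s ceiling; the body gets a 20 s initial budget
# and must keep flowing at >= 500 bytes/s. A client trickling data more slowly
# is rejected with 408 instead of pinning a worker until the global Timeout.
LoadModule reqtimeout_module modules/mod_reqtimeout.so   # path is an assumption
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# Optional, via mod_qos (third-party, not part of httpd): the load-based pruning.
# Every connection must sustain at least 120 bytes/s; the required rate rises
# linearly towards 1500 bytes/s as the number of open connections approaches
# MaxClients, so the slowest connections are shed first when the pool is under
# pressure. QS_SrvMaxConnPerIP caps how much of the pool one source address can
# hold, which also blunts a single coffee-shop NAT or open proxy.
#LoadModule qos_module modules/mod_qos.so                # path is an assumption
#QS_SrvMinDataRate 120 1500
#QS_SrvMaxConnPerIP 30
```

Note that none of these settings care where the connection comes from: a Tor exit, an open proxy and a laptop behind a cafe NAT are all handled by the same per-connection progress rule, which is the point of fixing the server rather than blocking an address list.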